More than a Million Pro-Repeal Net Neutrality Comments were Likely Faked

NY Attorney General
Schneiderman estimated
that hundreds of thousands of Americans’ identities were stolen
and used in spam campaigns that support repealing net neutrality. My
research found at least 1.3 million fake pro-repeal comments,
with suspicions about many more. In fact, the sum of fake pro-repeal
comments in the proceeding may number in the millions. In this post,
I will point out one particularly egregious spambot submission, make
the case that there are likely many more pro-repeal spambots yet to
be confirmed, and estimate the public position on net neutrality in
the “organic” public submissions.¹

It takes very little to complete a full dossier.
(And my new favorite phrase!)

KrebsOnSecurity has sought to call attention to
online services which expose sensitive consumer data if the user
knows a handful of static details about a person that are broadly for
sale in the cybercrime underground, such as name,
date of birth, and Social Security Number. Perhaps the
most eye-opening example of this is on display at fafsa.ed.gov,
the Web site set up by the U.S.
Department of Education for anyone interested in
applying for federal student financial aid.

Short for the Free
Application for Federal Student Aid,
FAFSA is an extremely lengthy and detailed form required at all
colleges that accept and award federal aid to students.

Visitors to the login page for FAFSA have two
options: Enter either the student’s FSA ID and password, or choose
“enter the student’s information.” Selecting the latter brings
up a prompt to enter the student’s first and last name, followed by
their date of birth and Social Security Number.

Anyone who successfully supplies that information
on a student who has applied for financial aid through FAFSA then
gets to see a
virtual colonoscopy of personal information on that
individual and their family’s finances — including almost 200
different data elements.

… I don't find the “right to be secure”
argument persuasive, and I thought I would say why. Here's the
relevant text:

The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures,
shall not be violated[.]

That text does not provide for some sort of
general “right to be secure.” Rather, the text is much more
specific. It states that “the people” have a right “to be
secure” in particular things (“in their persons, houses, papers,
and effects”) against something specific (“unreasonable searches
and seizures”). In ordinary language, if you have a right to be
secure against some specific bad thing, you don't have a general
right to be secure. You just have a right to be secure against that
specific bad thing. Your right is violated if the bad thing happens.
If the bad thing doesn't happen, your right isn't violated.

The new personnel, who
will work for a service provider called CCC out of a new office in
the western city of Essen that opened on Thursday, will be
responsible for reviewing content posted to the social media
platform.

The new law, passed by the German parliament in
June, requires social media sites to remove flagged content within 24
hours when the content is obviously illegal. Companies have a week to
remove more ambiguous cases.

It threatens fines of
up to 50 million euros ($59 million) for persistent failure to remove
illegal content.

SoftBank knew about the
massive hack Uber suffered in late 2016 before details of the
incident were publicly revealed on Tuesday, the ride-hailing company
confirmed in a statement issued to Bloomberg. The breach that
compromised approximately seven million drivers and 50 million riders
was disclosed to the Japanese conglomerate as part of its due
diligence investigation into the world’s most
valuable startup which it intends to back with around $10 billion
in the near future, seeking to gain at least a 14 percent stake in
it. As per a statement from an Uber official, the information that
was given to SoftBank was still “incomplete” as the firm didn’t
conclude its investigation into the matter at that time, but the
management opted for disclosure in an
effort to negotiate with a potential investor in good faith.

Interesting, but when every website alerts you, I
suspect most people will remove the addon.

Mozilla is joining hands with popular data breach notification
website HaveIBeenPwned.com
(HIBP) to send an in-browser alert to Firefox users when they
visit a site that was previously hacked, and to tell them whether
their login credentials have been involved in a data breach.

“This is an addon that I’m going to be using for prototyping an
upcoming feature in Firefox that notifies users when their
credentials have possibly been involved in a data breach,” Mozilla
developer Nihanth Subramanya wrote
in his Github repository.
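
A feature like this must not ship the user's password (or its full hash) to the breach service, or the notifier itself becomes a credential leak. The block below is an added example, not code from the Mozilla addon or from HIBP, showing the k-anonymity range lookup that HIBP's Pwned Passwords API exposes (the page does not say how the addon queries HIBP, so that API is an assumption here): the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 characters locally against the returned list. The range response embedded here is constructed: only the first suffix is the real SHA-1 suffix of "password"; the counts and the other suffixes are invented.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# Each line is "<35 hex chars of SHA-1 suffix>:<times seen in breaches>".
# Only the first suffix is real (SHA-1 of "password" minus its 5-char prefix);
# the counts and the other two suffixes are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4D6F2A0B1C2D3E4F5A6B7C8D9E0F1A2B3:2
00000000000000000000000000000000001:1
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus according to
    this range response; 0 means its suffix was not in the returned range."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup against the assumed endpoint (not used by the offline demo).
    The server learns only the 5-char prefix, i.e. one of about a million
    buckets, never the password or its full hash."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print(prefix)  # 5BAA6 is all the service would ever see
    print(pwned_count("password", SAMPLE_RANGE_RESPONSE))
```

To run it against the real service, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)`. The same prefix-only design is what lets a browser check a credential without trusting the breach service with it.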

ICE
asks tech companies to help them track visa holders on social media

… ICE officials explained at a conference last
week that they are hoping to develop algorithms that would assess
potential threats posed by visa holders, and conduct social media
surveillance of those deemed high risk. Microsoft, Deloitte and
Motorola Solutions were among the companies in attendance.

… Carissa Cutrell, a spokeswoman for ICE, told
ProPublica that the Department of Homeland Security has not actually
begun building such a program, but was simply gathering information
from industry leaders.

ICE officials told tech companies last week that
the department hopes to get automated notifications about any visa
holders’ social media activity. ICE already monitors some social
media posts, but plans to expand its operation.

Thursday, November 23, 2017

So, how is that “Don’t tell anyone we’ve been breached”
tactic working for you?
http://thehill.com/policy/technology/361582-multiple-countries-launch-probes-into-uber-breach
Multiple countries launch probes into Uber breach
Multiple countries are launching probes into Uber after a report
revealed that it had covered
up a massive cyber attack that exposed the data of 57 million
passengers and drivers last year.
According
to Reuters, four countries — the United States, the United
Kingdom, Australia and the Philippines — have vowed to investigate
the matter.
At the same time, attorneys general in multiple U.S. states,
including New York, Illinois and Connecticut, have begun
investigating the hack, and some lawmakers are calling on the Federal
Trade Commission (FTC) to launch a probe of Uber.

Each new technology must learn the security lessons older
technologies have learned.
http://www.securityweek.com/curing-security-sickness-medical-devices
Curing The Security Sickness in Medical Devices
Just as the rapid development of the Internet of Things (IoT) has
transformed traditional industries and service sectors, it is also
having a great impact in the world of healthcare. It’s easy to
argue, in fact, that no area is being transformed by digital
technologies as rapidly or with as many benefits for society as new
medical technologies. But
the understandable desire to press ahead and unlock those benefits
has led to a lack of scrutiny on the subject of digital security in
devices for treatment and monitoring, and a spate of high profile
problems in the area has begun to concern many. In the US, the Food
and Drug Agency (FDA) has issued formal warnings about cybersecurity
vulnerabilities in four separate products in the last 18 months. It
has also hosted an array of consultations and workshops focussing on
the cybersecurity of medical devices. The most recent product notice
from the FDA, regarding an exploitable
flaw in connected cardiac pacemakers, seems to be finally waking
the industry up to the threats that connected technologies bring.

For
my students. Google
Has Some Great Advice for Your Tech Career
… The Google
Tech Dev Guide is a must-read if you are considering a
career in technology, or even if you’re already a few years into
one.
Google’s Guide to Technical Development is a curated resource of
materials that will help you learn the right topics in computer
science. Think of them as “learning paths” to follow for
teaching yourself pro-level skills.
These are the skills Google thinks you should have —
not to become a Google Developer (though, that’s achievable) but to
become a well-rounded student, educator, or software engineer.
… It includes recommendations for coding in Java, JavaScript,
C++, and Python.

Hackers stole the personal data of 57 million
customers and drivers from Uber
Technologies Inc., a massive breach that the company concealed
for more than a year. This week, the ride-hailing firm ousted its
chief security officer and one of his deputies for their roles in
keeping the hack under wraps, which included a $100,000 payment to
the attackers.

Compromised data from the October 2016 attack
included names, email addresses and phone numbers of 50 million Uber
riders around the world, the company told Bloomberg on Tuesday. The
personal information of about 7 million drivers was accessed as well,
including some 600,000 U.S. driver’s license numbers. No Social
Security numbers, credit card information, trip location details or
other data were taken, Uber said.

At the time of the incident, Uber was negotiating
with U.S. regulators investigating separate claims of privacy
violations. Uber now says it had a legal obligation to report the
hack to regulators and to drivers whose license numbers were taken.
Instead, the company paid hackers to delete the data and keep the
breach quiet. Uber said it believes the information was never used
but declined to disclose the identities of the attackers.

The
chairpersons of the House Science, Space, and Technology Committee
and the House Oversight and Government Reform Committee on Monday
sent a new letter (PDF)
to Paulino Barros, the interim CEO of Equifax.

The
former committee's jurisdiction includes the standards of use for
securing personally identifiable information (PII), while the latter
committee's jurisdiction covers how data breaches impact the federal
workforce and national security. Both are investigating the loss of
PII on 145 million Americans announced by Equifax on September 7,
2017.

This
is not the first letter to Equifax
by chairpersons Lamar Smith (R-Texas) and Trey Gowdy (R-S.C.). They
also wrote (PDF)
on September 14, 2017 requesting 'all documents' relevant to five
specific areas; such as "to and from members of Equifax's
corporate leadership", and "relating to the NIST Framework
or other cybersecurity standards used by Equifax." That
first letter specified no later than September 28, 2017.

It
would seem that Equifax has not yet, or at least not yet
satisfactorily, fulfilled this first request almost eight weeks after
the deadline. "We look forward to Equifax providing
all documents in response to the five categories of requested
materials in the September 14 request, as well as the requests that
were made at subsequent Committee briefings." It adds that the
Committees expect to make additional requests in the future.

In
the meantime, however, it is clear the committees are beginning to
get to grips with the details of both Equifax and the breach.
While the first letter requested 'areas' of documents, the second
letter is far more specific. For example, it asks for documentation
that would allow the identification "of any and all individuals
in an executive leadership role", and those who received the DHS
email alert "regarding Apache Struts 2".

Actually,
he has a few ideas, but it might be amusing to ask my students to
prioritize what Congress should hear.

I'm
Testifying in Front of Congress in Washington DC about Data Breaches
- What Should I Say?

There's
a title I never expected to write! But it's exactly what it sounds
like and on Thursday next week, I'll be up in front of US congress on
the other side of the world testifying
about the impact of data breaches. It's an amazing opportunity
to influence decision makers at the highest levels of government and
frankly, I don't want to stuff it up which is why I'm asking the
question - what should I say?

Cybersecurity:
Cybercrime and National Security Authoritative Reports and Resources

CRS
Reports & Analysis – Cybersecurity: Cybercrime and National
Security Authoritative Reports and Resources. November 14, 2017
(R44408): “As online attacks grow in volume and sophistication, the
United States is expanding its cybersecurity efforts. Cybercriminals
continue to develop new ways to ensnare victims, whereas nation-state
hackers compromise companies, government agencies, and businesses to
create espionage networks and steal information. Threats come from
both criminals and hostile countries, especially China, Russia, Iran,
and North Korea. Much is
written on this topic, and this CRS report directs the reader to
authoritative sources that address many of the most prominent issues.
The annotated descriptions of these sources are listed in reverse
chronological order, with an emphasis on material published in the
past several years. This report includes resources and studies from
government agencies (federal, state, local, and international), think
tanks, academic institutions, news organizations, and other sources…”

Google wants to do what Russia did, but Russia
denies it ever did what Google says it did, so Google should have
just done it and denied it did.

The ominous cloud of doom surrounding the ongoing
U.S. investigations into alleged Russian interference in the 2016
federal elections got a little darker on Tuesday, with Russian state
communications agency Roskomnadzor allegedly threatening retaliation
against Google for suggesting it could lower government-funded
outlets RT and Sputnik in search rankings.

Imagine if someone on that list walked into a
church in Texas and started shooting people…

A new
federal investigation revealed Thursday that VA officials in
Colorado broke agency rules by using an off-the-books system to track
patients who wanted mental-health therapy — a violation that caused
veterans to wait for care and one that recalls past abuses by the
U.S. Department of Veterans Affairs.

Investigators with the VA’s internal watchdog
found that in three separate facilities — Denver, Golden and
Colorado Springs — agency officials did not follow proper protocol
when keeping tabs on patients who sought referrals for treatment of
conditions such as post-traumatic stress disorder.

The practice hindered proper oversight and made it
possible for Colorado veterans to fall through the cracks, wrote
officials with the VA Office of Inspector General, which examined
care at the facilities between October 2015 and September 2016.

New York
attorney general says the FCC won’t help investigate fake net
neutrality comments

New York Attorney General
Eric Schneiderman revealed today that his office has been
investigating a flood of spam
FCC comments that impersonated real people, and criticized the
FCC for withholding useful information. In
an open letter addressing FCC chairman Ajit Pai, Schneiderman
writes that his office has spent six months investigating who
submitted hundreds of thousands of identical anti-net neutrality
comments under the names and addresses of unwitting Americans. But
he says that the FCC has ignored multiple requests for logs and
records, offering “no substantive response.”

Tuesday, November 21, 2017

… In analyzing the top breaches over the past
few years, it is clear that executives make a set of common mistakes,
which is surprising given that so many companies, often led by
otherwise effective leaders, fail to learn from the botched responses
and mishandled situations of the companies that were breached before
them.

Here are the missteps executives make time and
again, and advice for avoiding these pitfalls:

Foot dragging

Poor customer service

Not being transparent

Failing to accept
accountability

Suggests to me that it is possible to secure data
and processes in the cloud.

Amazon’s cloud storage unit announced Monday
that it is releasing a new service called the Amazon Web Services
Secret Region, a cloud storage service designed to handle classified
information for U.S. spy agencies.

The service will be provided to the intelligence
community through an existing $600 million contract with U.S.
intelligence agencies, which has made Amazon a dominant player in
federal IT contracting.

… The announcement comes at a time when
Amazon’s business and government customers are under intense
scrutiny over whether they are storing data securely in the cloud.
Amazon’s cloud-based folders – referred to as “buckets” –
have been at the center of several high-profile security incidents in
recent months, in which customers inadvertently left sensitive
information on an Amazon server in an unprotected format.
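
The "unprotected" buckets in those incidents were almost always readable because of a bucket policy whose Principal is `*` or an ACL grant to the AllUsers or AuthenticatedUsers group. As an added example (not Amazon's tooling or anything from the article), the check below inspects both documents offline. The policy and ACL samples are constructed: the bucket name, account ID and canonical user ID are made up, while the ACL group URIs and the document shapes are the real ones S3 uses.

```python
import json
from typing import Any, Dict, List

# ACL group URIs meaning "anyone on the internet" / "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample documents; bucket name, account ID and IDs are invented.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Shape of the Grants list returned by S3 GetBucketAcl (e.g. via boto3).
LEAKY_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd" * 8,
                 "DisplayName": "owner"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]


def _principal_is_public(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Sids (or positions) of Allow statements that grant access to everyone.
    Statements that carry a Condition are skipped: the condition may narrow
    the grant (for example to one VPC endpoint), so review those by hand."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _principal_is_public(st.get("Principal")):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(grants: List[Dict[str, Any]]) -> List[str]:
    """'<Group>:<Permission>' for each ACL grant to AllUsers/AuthenticatedUsers."""
    hits = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{g.get('Permission')}")
    return hits


def bucket_is_public(policy_json: str, grants: List[Dict[str, Any]]) -> bool:
    return bool(public_policy_statements(policy_json) or public_acl_grants(grants))


if __name__ == "__main__":
    print(public_policy_statements(LEAKY_POLICY))   # ['PublicReadGetObject']
    print(public_policy_statements(SAFE_POLICY))    # []
    print(public_acl_grants(LEAKY_ACL_GRANTS))      # ['AllUsers:READ']
```

The real documents come from `aws s3api get-bucket-policy --bucket NAME` and `aws s3api get-bucket-acl --bucket NAME`; feed their output to the two functions. Object-level ACLs can open individual keys even when the bucket passes this check, so the same grant test belongs on objects in sensitive prefixes too.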

“Foreword – On September 14, 2017, the George
Washington University Center for Cyber & Homeland Security (CCHS)
convened a Symposium on Trends in Technology and Digital Security.
Four panels addressed emerging threats and their implications for
security policy, with a focus on digital infrastructure protection
and anticipatory analysis. In addition, a featured speaker from
abroad presented a country-specific case study. In a series of Issue
Briefs, compiled herein, CCHS shares the findings and recommendations
that emerged from the Symposium, primarily on a not-for-attribution
basis. The subject and title of each Brief is as follows:

Methods of
Analysis and the Utility of New Tools for Threat Forecasting

This Cybersecurity
Campaign Playbook was written by a bipartisan team of experts in
cybersecurity, politics, and law to provide simple, actionable ways
of countering the growing cyber threat. Cyber adversaries don’t
discriminate. Campaigns at all levels – not just presidential
campaigns – have been hacked. You
should assume you are a target. While the recommendations
in this playbook apply universally, it is primarily intended for
campaigns that don’t have the resources to hire professional
cybersecurity staff. We offer basic building blocks to a
cybersecurity risk mitigation strategy that people without technical
training can implement (although we include some things which will
require the help of an IT professional). These are baseline
recommendations, not a comprehensive reference to achieve the highest
level of security possible. We encourage all campaigns to enlist
professional input from credentialed IT and cybersecurity
professionals whenever possible…”

So you can’t be someone different (have a public
persona) online? Ask yourself: How can they do this? What tools
will they use?

In perhaps the most intrusive move of
social media platforms’ efforts to signal as much virtue as possible
and appease their potentially-regulating government overlords,
Twitter has announced that
it is cracking down on what it defines as hate speech, and not just by
looking at its own site.

In what amounts to a major shift in
Twitter policy, Mashable’s
Kerry Flynn reports that the company announced on Friday that it will be
monitoring users’ behavior “on and off the platform” and will
suspend a user’s account if they affiliate with violent
organizations, according to an update
to Twitter’s Help Center on Friday.

Mexican
heroin is flooding the US, and the Sinaloa cartel is steering the
flow

… Mexican cartels' shift
to producing heroin — as well as synthetic
drugs like fentanyl — has been driven in part by loosening
marijuana laws in the US, and the Sinaloa cartel appears to be the
main player in a lucrative market.

… the value of marijuana had fallen
considerably — from about $74 a kilo seven years ago to a little
over $26 now — due to marijuana legalization in the US. Falling
prices led many marijuana growers to shift to opium.

Have you made email work for you? Do you spend
the time and effort to make
emails look perfect and professional? There’s an art to it,
but it’s not that difficult. Your reward will be the response from
the person you want an answer from.

...Email templates are freely available on the
web. Borrow them and tweak them to your situation.

ProEmailwriter
gives you a neat interface to select the right kind of email template
and use them in your email. The dropdown menu gives you choices for
Topic, Sub-Topic, and Tone. Copy
the one you need and customize it to your situation.

Two weeks ago today, 26 people were killed
by a gunman at First Baptist Church in Sutherland Springs, Texas.
Two phones were discovered at the scene: an older push-button LG and
what local news described
as a “blood spattered” Apple iPhone SE. Now local law
enforcement has
served Apple with a search warrant in order to retrieve
information from the smartphone.

… The Tuesday following the murders, the FBI
held a press conference noting the existence of one of two phones,
without revealing the make, as it didn’t want to “tell every bad
guy out there what phone to buy.”

As reported
by The Washington Post, the mystery handset was indeed an
iPhone. Apple reached out to law enforcement after the press
conference, offering
technical assistance in getting onto the device. The company, it
seems, could have provided help early on, without much legal
wrangling or more controversial software backdoors.

I think this is a really bad idea unless you are
highly trained and have some good lawyers on staff. On the other
hand, it would open things up for my Ethical Hackers…

For years now, there has been a discussion
surrounding the feasibility of active cyber defense, and allowing
private entities or individuals to “hack back” against hostile
cyber activity, but there has not been a major push in Congress to
explicitly authorize such activity, or to propose changes or
exceptions under the current legal and statutory framework that would
enable it. But a proposal by Representatives Tom Graves (R-GA) and
Kyrsten Sinema (D-AZ), titled the Active Cyber Defense Certainty Act
(ACDC) (H.R.
4036), is starting to change the conversation. The new draft
legislation provides an exception to liability under the Computer
Fraud and Abuse Act (CFAA) and, in essence, would authorize
individuals or organizations to go into networks outside of their own
to gather intelligence on hackers for attributional purposes. To
date, the proposal has undergone at least three rounds of public
scrutiny, after which, to the great credit of Graves’ office, the
draft language has been updated, and it now takes into account some
legitimate concerns and criticisms. Some of these critiques should
be examined carefully, from both a policy and legal perspective, as
the bill makes its way through committee.

“Risk management is not just a compliance
exercise but an opportunity
to gain a competitive advantage. More than ever, legal
departments are playing a significant role in managing risk and
monitoring its effectiveness, especially in the critical area of
cybersecurity. Grant Thornton and Corporate Counsel
magazine recently surveyed over 190 corporate general counsel to
assess their views on the keys to business growth. The topics ranged
from regulatory risk management and risk assessments to cybersecurity
and data analytics. Below is a sampling of insights from Grant
Thornton’s 2017 Corporate General Counsel Survey:

58% of legal
departments are highly involved in responding to data security
risks; nearly a quarter have primary responsibility for the issue

Less
than a quarter of counsel are very satisfied with their
organization’s risk assessment

Nearly
three-quarters of legal departments cite cyber issues as a top risk.

Of those very concerned about data
security, only about a third feel adequately prepared

As a result of increasing risk concerns, the role
of the corporate general counsel continues to evolve to include new,
important areas of focus and responsibilities. While maintaining a
firm handle on the traditional functions of the legal department, the
survey reveals that their role is increasingly concerned with
regulation and compliance, as well as data privacy and related
cybersecurity issues.”

... Executives from Facebook, Google and Twitter
testified before lawmakers this month about Russian actors using
their platforms to influence the vote and tried to reassure them they
were taking steps to address the issue.

But lawmakers left the hearings frustrated and say
they want more details from the companies and concrete steps to
prevent interference in the future. Congress is also considering
legislation to toughen disclosure rules for online advertisements.

That threat of tougher regulation has tech firms
scrambling.

A business model for those who are first to
automate what they do well? (As long as we have to do it, can we
sell it?)

The newspaper
created a platform to tackle its own challenges. Then, with
Amazon-like spirit, it realized there was a business in helping other
publishers do the same.

… Since 2014, a new Post operation now called
Arc Publishing has offered the publishing system the company
originally used for WashingtonPost.com
as a service. That allows other news organizations to use the Post’s
tools for writers and editors. Arc also shoulders the responsibility
of ensuring that readers get a snappy, reliable experience when they
visit a site on a PC or mobile device. It’s like a high-end
version of Squarespace
or WordPress.com,
tailored to solve the content problems of a particular industry.

Via LLRX
– The
Use and Abuse of Social Media in the Post-Truth Era – Law
librarian and adjunct professor Paul
Gatz provides important guidance on social media
discourse and information literacy that is especially timely and
instructive as we are experiencing an escalating wave of highly
questionable news and data through sites such as Facebook.

Sunday, November 19, 2017

I just taught my Computer Security class how to
generate RSA public/private keys and encrypt messages. They each
generated a unique encryption key and can keep generating unique
encryption keys until they run out of random numbers. Would the FBI
try to compel me to break that encryption?

Is the
Government Waging an Out-of-Sight Fight With Apple on Encryption?

The Justice Department and Apple
have been locked in a bitter fight for years over the company’s
encryption system, which allows consumers to prevent anyone
—including law enforcement—from opening their devices without
permission. That’s why a security story this week should be
getting more attention than it has.

Titled “Yup: The Government Is Secretly
Hiding Its Crypto Battles In The Secret FISA Court,” the
story appeared on the well-regarded security blog EmptyWheel, and
suggests the Justice Department is using a legal backdoor to force
open software backdoors at companies like Apple.

The details are complex and require some
familiarity with the FISC,
a closed court that oversees top secret intelligence operations, and
with Section
702, an amendment to the Patriot Act that permits certain forms
of warrantless surveillance. But the gist of the story is this: The
Justice Department may be relying on an annual approval process at
the FISC to compel “technical assistance” from Apple and others,
and this assistance may include the breaking of encryption.

… The over-arching issue raised by EmptyWheel
is not whether citizens should have the right to deploy unbreakable
encryption (there are good arguments on each side), but instead that
the government may be settling the debate in secret. The issue of
encryption is too important to be stuffed into secret court
proceedings. Let’s hope the Justice Department finds a way to
debate this in the open.

A
10-Year-Old Used Face ID To Unlock His Mom's iPhone X: Will All
Families Have The Same Problem?

… Attaullah Malik uploaded a video that
demonstrated
how his 10-year-old son, Ammar Malik, was able to unlock the iPhone X
of his wife, Sana Sherwani, through the Face ID feature.

According to Apple, there is a roughly one in 1
million chance that a random person will be able to unlock somebody
else's iPhone X using their face. However, things are different in
the cases of twins, siblings, and children under the age of 13 years
old.


About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.